#! /bin/bash

jugment(){
if [ $? -eq 0 ];then
	 echo "成功。"
else    
         echo "失败！"
fi 

}


# 1.开启反路径过滤
cat <<EOF >> /etc/sysctl.conf
net.ipv4.conf.all.accept_redirects=0
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.ip_forward = 0
net.ipv4.conf.all.forwarding = 0
net.ipv4.conf.default.forwarding = 0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0

EOF
jugment

# 2.检查口令锁定策略
if [ -e /etc/pam.d/system-auth_bak ];then
	sed -i '5 i\auth        required      pam_tally2.so onerr=fail deny=5 unlock_time=900 even_deny_root' /etc/pam.d/system-auth
	sed -i 's/# deny = 3/deny = 5/' /etc/security/faillock.conf
	sed -i 's/# unlock_time = 600/unlock_time = 900/' /etc/security/faillock.conf
	sed -i 's/# even_deny_root/even_deny_root/' /etc/security/faillock.conf
else
	cp -p /etc/pam.d/system-auth        /etc/pam.d/system-auth_bak
	cp -p /etc/security/faillock.conf  /etc/security/faillock.conf_bak
    sed -i '5 i\auth required pam_tally2.so onerr=fail deny=5 unlock_time=900 even_deny_root' /etc/pam.d/system-auth
	sed -i 's/# deny = 3/deny = 5/' /etc/security/faillock.conf
	sed -i 's/# unlock_time = 600/unlock_time = 900/' /etc/security/faillock.conf
	sed -i 's/# even_deny_root/even_deny_root/' /etc/security/faillock.conf
fi
jugment

# 3.检查用户umask
if [ -e /etc/profile_bak ];then
        sed -i -e 's/umask 002/umask 027/' -e 's/umask 022/umask 027/'  /etc/profile
        sed -i -e 's/umask 002/umask 027/' -e 's/umask 022/umask 027/'  /etc/bashrc
        #sed -i 's/^UMASK/UMASK           077/'                       /etc/login.defs  
else
        cp -p /etc/profile /etc/profile_bak
        cp -p /etc/bashrc /etc/bashrc_bak
        sed -i -e 's/umask 002/umask 027/' -e 's/umask 022/umask 027/'  /etc/profile
        sed -i -e 's/umask 002/umask 027/' -e 's/umask 022/umask 027/'  /etc/bashrc
        #sed -i 's/^UMASK/UMASK           077/'                       /etc/login.defs
fi
jugment

# 4.限制root远程直接登录
if [ -e /etc/ssh/sshd_config_bak ];then
        sed -i 's/^#PermitRootLogin/PermitRootLogin yes/'      /etc/ssh/sshd_config
        #sed -i '/PermitRootLogin/s/.*/PermitRootLogin yes/'    /etc/ssh/sshd_config
else
        cp -p /etc/ssh/sshd_config    /etc/ssh/sshd_config_bak
        sed -i 's/^#PermitRootLogin/PermitRootLogin yes/'      /etc/ssh/sshd_config
        #sed -i '/PermitRootLogin/s/.*/PermitRootLogin yes/'    /etc/ssh/sshd_config  
fi
jugment

# 5.对日志大小进行配置
cat <<EOF > /etc/logrotate.d/warn
size 10M

EOF
jugment

# 6.设置重复登录失败后锁定时间限制
# 这个和第二条的操作一模一样，这里就不再重复了。

# 7.设置登录成功后警告Banner
if [ -e /etc/motd  ];then
        echo " Authorized users only. All activity may be monitored and reported " >> /etc/motd
else
        echo " Authorized users only. All activity may be monitored and reported " > /etc/motd
fi
jugment

# 8.口令生存周期
if [ -e /etc/login.defs_bak ];then
        sed -i -e 's/^PASS_MAX_DAYS/PASS_MAX_DAYS   90/' -e 's/^PASS_MIN_DAYS/PASS_MIN_DAYS   6/' -e '/^PASS_WARN_AGE/PASS_WARN_AGE   7/' -e 's/^PASS_MIN_LEN/PASS_MIN_LEN    8/'
else
        cp -p /etc/login.defs /etc/login.defs_bak
        sed -i -e 's/^PASS_MAX_DAYS/PASS_MAX_DAYS   90/' -e 's/^PASS_MIN_DAYS/PASS_MIN_DAYS   6/' -e '/^PASS_WARN_AGE/PASS_WARN_AGE   7/' -e 's/^PASS_MIN_LEN/PASS_MIN_LEN    8/'
fi
jugment

# 8.配置超时参数
if [ -e /etc/profile_bak -a -e /etc/csh.cshrc_bak ];then
        echo ""           >> /etc/profile
        echo ""             >> /etc/csh.cshrc
        echo "TMOUT=1800" >> /etc/profile
        echo "export TMOUT" >> /etc/profile
        echo "set autologout=1800" >> /etc/csh.cshrc
elif [ -e /etc/profile_bak ];then
        cp -p /etc/csh.cshrc /etc/csh.cshrc_bak
        echo ""           >> /etc/profile
        echo ""             >> /etc/csh.cshrc
        echo "TMOUT=1800" >> /etc/profile
        echo "export TMOUT" >> /etc/profile
        echo "set autologout=1800" >> /etc/csh.cshrc
else
        cp -p /etc/profile /etc/profile_bak
        cp -p /etc/csh.cshrc /etc/csh.cshrc_bak
        echo ""           >> /etc/profile
        echo ""             >> /etc/csh.cshrc
        echo "TMOUT=1800" >> /etc/profile
        echo "export TMOUT" >> /etc/profile
        echo "set autologout=1800" >> /etc/csh.cshrc
 
fi
jugment

# 9.开启命令及登陆失败记录
echo "" >> /etc/login.defs
echo "LASTLOG_ENAB   yes" >> /etc/login.defs
echo "FAILLOG_ENAB   yes" >> /etc/login.defs
jugment

echo "常规的合规已处理完毕，剩下的合规为了保险起见请手动完成。"

